Refused to execute inline script because it violates the following Content Security Policy directive


con...@urbansoft.co

Mar 3, 2019, 1:41:00 AM3/3/19
to Chromium-discuss
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-UITiqbXyaWS7NpwiFrMIbdXAZy5EXLRUHkpylF4504k='), or a nonce ('nonce-...') is required to enable inline execution.

This is regarding one of the websites we developed in .NET.

The website was kept in learning mode to do code scanning with the help of a tool named "Fortiweb".
With regard to CSRF protection, we have implemented all aspects of the general solutions at server level.

1. Moved all Inline script to external.
2. https://software-security.sans.org/developer-how-to/developer-guide-csrf implemented on the server.
3. https://www.reflections-ibs.com/blog/article/hardening-your-http-response-headers-in-iis-server-security-headers all suggestions included.

For Content Security Policy, we included the line below at server level.
<meta http-equiv="Content-Security-Policy" content="script-src-elem 'self' default-src 'self' style-src 'self';" >

But the device still shows two errors on every page; it says to move the dynamically generated script to external files. We can't remove or move the ASP.NET dynamically generated JavaScript, which is mentioned below.
THIS IS ONLY ENCOUNTERED IN CHROME (OTHER BROWSERS ARE FINE)

1. Script _doPostBack
a. This script is added dynamically by ASP.NET for handling any postback in the website, like button submit, drop-down select, etc.
b. We are not adding the script from our side; it is created by the system only.
c. We couldn't find a solution for this on the internet.

2. Script Sys.Web
a. This script is added dynamically by the Script Manager for handling Ajax events, like update panel, timer, etc.
b. In the website we have a chat window; for the chat window we are using an Ajax Update Panel and Timer for its functionality.
c. If we remove the Script Manager, this issue will be fixed, but the chat functionality will not work.

Find the errors below, FYR:
khuhweb.khuh.org.bh/:35 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-UITiqbXyaWS7NpwiFrMIbdXAZy5EXLRUHkpylF4504k='), or a nonce ('nonce-...') is required to enable inline execution.

khuhweb.khuh.org.bh/:60 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-cGSTQKBgM3l6aqWOtdD2xeFQ9KF6sq6Op4l70ENWC9w='), or a nonce ('nonce-...') is required to enable inline execution.

PhistucK

Mar 3, 2019, 1:47:08 AM3/3/19
to con...@urbansoft.co, Chromium-discuss
If you configured content-security-policy per https://www.reflections-ibs.com/blog/article/hardening-your-http-response-headers-in-iis-server-security-headers as is, the error should not show up.
If you added script-src 'self', that would cause the error to show up because it overrides default-src https: data: 'unsafe-inline' 'unsafe-eval'.

PhistucK

